I don't think our policy engine is currently capable of handling nested scope checks like this. This use case is certainly something we need to strive for as we separate role checks from scope checks in the future. The scope check in Kristi's example would consist of checking that the project in the request 9836e076391549c2915c15ae6b51d12c actually belongs in the domain of the scoped token. The lack of this behavior is consistent across other services as well.